Hello all, I am trying to figure out how to disconnect a user using the originate-coa and update disconnect{} using FreeRADIUS 3.0.21 on Debian 11. Sorry if it seems a bit stupid, but I am really confused and frustrated... Let's say that a user configured in user's file "testuser Cleartext-Password := "password", Login-Time := "Wk1000-1400"" should be disconnected after the permitted Login-Time has passed. I enabled and changed the contents of the originate-coa according to it's documentation, using the correct NAS IP address, secret etc and added the coa_server = coa under the appropriate NAS section in clients.conf. According to my understanding FreeRADIUS should have generated coa messages to the NAS but it didn't do anything. Is this the correct way to forcibly disconnect the user using originate-coa? Sorry again if the following question may be a bit stupid, but what is the recommended place in the virtual server (except pre- or post-proxy) to put update coa{} or update disconnect{}? Using radclient (cat packet.txt | radclient -x <nas ip address>:3799 disconnect "secret"") with the Acct-Session-Id obtained from freeradius -X output and the NAS coa secret, the user was disconnected normally. Thank you very much in advance, Antonios Kalkakos
On 30/05/2022 09:08, Antonios Kalkakos wrote:
Let's say that a user configured in user's file "testuser Cleartext-Password := "password", Login-Time := "Wk1000-1400"" should be disconnected after the permitted Login-Time has passed. I enabled and changed the contents of the originate-coa according to it's documentation, using the correct NAS IP address, secret etc and added the coa_server = coa under the appropriate NAS section in clients.conf.
According to my understanding FreeRADIUS should have generated coa messages to the NAS but it didn't do anything.
No. FreeRADIUS needs some trigger to tell it to do something. For example during an accounting Interim-Update you may see that the user is outside their time window, therefore send a CoA disconnect. originate-coa gives examples of how you would set the home server (the NAS) to send the CoA to, and how you create a virtual server to process the CoA packets before they are sent, and when the reply is received.
Using radclient (cat packet.txt | radclient -x <nas ip address>:3799 disconnect "secret"") with the Acct-Session-Id obtained from freeradius -X output and the NAS coa secret, the user was disconnected normally.
Yes. That's good. At least you know CoA packets work... they are often ignored. If you don't have frequent enough Interim-Updates, then you could for example use radclient (or something else) to send CoA packets to FreeRADIUS. That can then for example look up in the database to fill out the full CoA attributes that the NAS needs to see (for example, look up the NAS the user session is on and add the Acct-Session-Id), and generate a new CoA to send to the correct NAS. See the sites-available/coa-relay for an example of this. This is useful for e.g. billing systems that know the User-Name, but nothing else. FreeRADIUS will take care of the hard work of ensuring the CoA packet is correct, and is sent to the correct place. -- Matthew
On May 30, 2022, at 4:08 AM, Antonios Kalkakos <akalkakos@hotmail.com> wrote:
I am trying to figure out how to disconnect a user using the originate-coa and update disconnect{} using FreeRADIUS 3.0.21 on Debian 11. Sorry if it seems a bit stupid, but I am really confused and frustrated...
Let's say that a user configured in user's file "testuser Cleartext-Password := "password", Login-Time := "Wk1000-1400"" should be disconnected after the permitted Login-Time has passed.
Nothing in the documentation says that's what happens. Unfortunately, the users session is 100% controlled by the NAS. Including disconnection timers. The Login-Time attribute causes FreeRADIUS to send a Session-Timeout to the NAS. Read the debug output to see this. The NAS should disconnect the user after that timeout period has expired. If it doesn't (and it's not a toy RADIUS client), then the NAS is broken. Throw it in the garbage, and get one which works properly. i..e. the server doesn't need to send a disconnect packet. You don't need to configure anything special. Just send "Session-Timeout = 3600", and the user is magically kicked offline an hour later.
Is this the correct way to forcibly disconnect the user using originate-coa?
No.
Sorry again if the following question may be a bit stupid, but what is the recommended place in the virtual server (except pre- or post-proxy) to put update coa{} or update disconnect{}?
Wherever you want, and where it works. This is where most people get confused with FreeRADIUS. They have a mental model of the configuration files as "configure this setting, and FreeRADIUS will do what I want". That isn't the way it works. The FreeRADIUS configuration policies (unlang) are a programming language intended for packet processing. WHEN i receive a packet containing X, SEND a reply containing Y So the question of "where do I put the update coa", is really "at which point in the processing did I decide that the user needs to be disconnected". That's where the "update coa" goes. Alan DeKok.
Fortunately my NAS respects the Session-Timeout :) Matthew and Alan thank you very much for your clarifications! On 30/05/2022 16:22, Alan DeKok wrote:
On May 30, 2022, at 4:08 AM, Antonios Kalkakos <akalkakos@hotmail.com> wrote:
I am trying to figure out how to disconnect a user using the originate-coa and update disconnect{} using FreeRADIUS 3.0.21 on Debian 11. Sorry if it seems a bit stupid, but I am really confused and frustrated...
Let's say that a user configured in user's file "testuser Cleartext-Password := "password", Login-Time := "Wk1000-1400"" should be disconnected after the permitted Login-Time has passed.
Nothing in the documentation says that's what happens.
Unfortunately, the users session is 100% controlled by the NAS. Including disconnection timers. The Login-Time attribute causes FreeRADIUS to send a Session-Timeout to the NAS. Read the debug output to see this.
The NAS should disconnect the user after that timeout period has expired. If it doesn't (and it's not a toy RADIUS client), then the NAS is broken. Throw it in the garbage, and get one which works properly.
i..e. the server doesn't need to send a disconnect packet. You don't need to configure anything special. Just send "Session-Timeout = 3600", and the user is magically kicked offline an hour later.
Is this the correct way to forcibly disconnect the user using originate-coa?
No.
Sorry again if the following question may be a bit stupid, but what is the recommended place in the virtual server (except pre- or post-proxy) to put update coa{} or update disconnect{}?
Wherever you want, and where it works.
This is where most people get confused with FreeRADIUS. They have a mental model of the configuration files as "configure this setting, and FreeRADIUS will do what I want". That isn't the way it works.
The FreeRADIUS configuration policies (unlang) are a programming language intended for packet processing.
WHEN i receive a packet containing X, SEND a reply containing Y
So the question of "where do I put the update coa", is really "at which point in the processing did I decide that the user needs to be disconnected". That's where the "update coa" goes.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (3)
-
Alan DeKok -
Antonios Kalkakos -
Matthew Newton